AlienVault® USM Anywhere™

NXLog Collection and Subscriptions

The final steps to complete the NXLog CE setup involve event forwarding configuration and subscription configuration.

Event Collection and Forwarding

To configure domain computers to collect and forward events

  1. Log on to the collector computer and to every source computer.

    Note: Use a domain account that has local administrative privileges on each computer.

  2. On the collector computer, open an elevated command prompt and configure the Windows Event Collector service:

    wecutil qc

  3. On each source computer (every computer whose logs you want to collect), enter the following at an elevated command prompt to enable the WinRM listener and its firewall rule:

    winrm quickconfig

  4. On each source computer, grant the WinRM service read access to the event logs. WinRM runs as the local NETWORK SERVICE account, so that account, rather than the collector computer account, needs to be a member of the Event Log Readers group.

    1. Open Local Users and Groups and edit the Event Log Readers group.
    2. Add the NETWORK SERVICE account to the Event Log Readers group.
    3. In the Select Users dialog, change the search location from the domain to the local computer so that the built-in NETWORK SERVICE account can be found.

      Membership of this group is what allows the Security log channel to be read.

    4. Reboot the machine so that the WinRM service picks up the new group membership.

      Note: If you don't want to reboot, grant NETWORK SERVICE (SID S-1-5-20) read access on the Security channel ACL directly from an elevated command prompt. The value is the default Security channel SDDL with one extra read ACE appended:

      wevtutil sl Security /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)
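The source-computer steps above, consolidated into one elevated PowerShell session together with the checks a practitioner would run afterwards. This is an added example and not part of the AlienVault documentation: the Security channel SDDL is the default one extended with a read ACE for NETWORK SERVICE, and the host name SOURCE01 used in the final connectivity check is a placeholder.

```powershell
# Added example (not from the USM Anywhere documentation): configure one source
# computer for collector-initiated Windows Event Forwarding and verify the result.
# Run in an elevated PowerShell session using a domain account with local admin rights.

# 1. Enable the WinRM listener and its firewall rule (step 3 above).
winrm quickconfig -quiet

# 2. The WinRM service runs as NETWORK SERVICE, so that account (not the collector's
#    computer account) must be able to read the local logs (step 4 above).
$group  = 'Event Log Readers'
$member = 'NT AUTHORITY\NETWORK SERVICE'
$isMember = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -eq $member }
if (-not $isMember) {
    Add-LocalGroupMember -Group $group -Member $member
}

# 3. Group membership only reaches the service token after a reboot. Granting read
#    access (0x1) to NETWORK SERVICE (S-1-5-20) on the Security channel ACL takes
#    effect immediately. This is the default Security channel SDDL with that single
#    ACE appended; the argument is quoted because of the parentheses.
$sddl = 'O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)'
wevtutil sl Security "/ca:$sddl"

# 4. Verify each piece: HTTP listener (TCP 5985), inbound WinRM firewall rules,
#    the channel ACL now containing S-1-5-20, and the group membership.
winrm enumerate winrm/config/listener
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
    Where-Object Direction -eq 'Inbound' |
    Select-Object DisplayName, Enabled, Profile
(wevtutil gl Security) -match 'channelAccess'
Get-LocalGroupMember -Group $group | Select-Object Name, ObjectClass

# From the collector (after running 'wecutil qc' there), confirm that WinRM on this
# source is reachable. SOURCE01 is a placeholder host name.
# Test-WSMan -ComputerName SOURCE01 -Authentication Default
```

If the `Test-WSMan` call from the collector fails while the listener shows up locally, the firewall rule profile is the usual culprit: the source's active network profile must be one the inbound WinRM rule applies to.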

Subscription Configuration

Set up the event subscription to receive forwarded events on the Collector.

To add the subscription

  1. Log in as administrator to the Collector computer.
  2. Go to Administrative Tools and run Event Viewer.
  3. In the console tree, click Subscriptions.
  4. From the Actions menu, click Create Subscription.
  5. In the Subscription Name field, enter the name of the subscription.
  6. (Optional) In the Description field, enter a description of the subscription.
  7. In the Destination Log list, select the log file in which you want to store collected events.

    By default, collected events are stored in the ForwardedEvents log.

  8. Under Collector initiated, click Select Computers, then click Add Domain Computers and select the source computers from which to collect events.
  9. To test connectivity to the source computer, click Test.
  10. Click Select Events.
  11. In the Query Filter dialog, use the controls to specify the criteria that events must meet to be collected.

    To take full advantage of USM Anywhere detection capabilities, AlienVault recommends the following minimum set of channels.

    • Windows Logs → Application
    • Windows Logs → Security
    • Windows Logs → System
    • Application and Services Logs → Microsoft → Windows → AppLocker
    • Application and Services Logs → Microsoft → Windows → PowerShell
    • Application and Services Logs → Microsoft → Windows → Sysmon
    • Application and Services Logs → Microsoft → Windows → Windows Defender
    • Application and Services Logs → Microsoft → Windows → Windows Firewall with Advanced Security
    • Application and Services Logs → Windows PowerShell

    USM Anywhere supports a much longer list of channels; collecting them allows it to detect a wide array of specific attack types on the Microsoft Windows platform.

  12. You can also enable auditing of security group membership changes and registry auditing on sensitive registry keys, such as HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell.

  13. Under Advanced, select Minimize Latency.

  14. In the Subscription Properties dialog, click OK.

    This adds the subscription to the Subscriptions pane and, if the operation was successful, the status of the subscription becomes Active.

  15. Right-click the new subscription and select Runtime Status to verify its status.

    If you have trouble connecting to the source computer, check that the Windows Firewall on the source computer allows inbound connections on TCP port 5985 from the collector.

  16. To test forwarding, create a test event with eventcreate on the source computer, then confirm that it appears in the collector's ForwardedEvents log.

    eventcreate /t error /id 100 /l application /d "Custom event in application log"
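The Query Filter in step 11 has an XML tab, and the recommended channel list above maps onto one `<Query>` element per channel. The PowerShell below builds that QueryList, warns about channels that are missing on the local machine, and then runs the checks that steps 15 and 16 describe. This is an added example and not part of the AlienVault documentation: the AppLocker folder is represented by its "EXE and DLL" and "MSI and Script" channels (add the "Packaged app" channels if you use them), and the subscription name USM-Anywhere-Windows, the file path under C:\Temp and the host name SOURCE01 are placeholders.

```powershell
# Added example (not from the USM Anywhere documentation): generate the QueryList
# XML for the recommended minimum channel set. Paste the output into the
# subscription's Select Events > XML tab with "Edit query manually" selected.
# Assumption: AppLocker is represented by its two most common channels.

$Channels = @(
    'Application',
    'Security',
    'System',
    'Microsoft-Windows-AppLocker/EXE and DLL',
    'Microsoft-Windows-AppLocker/MSI and Script',
    'Microsoft-Windows-PowerShell/Operational',
    'Microsoft-Windows-Sysmon/Operational',
    'Microsoft-Windows-Windows Defender/Operational',
    'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall',
    'Windows PowerShell'
)

# One <Query> per channel; the Id attribute must be unique within the QueryList,
# and the channel name is XML-escaped in case it contains reserved characters.
$queries = for ($i = 0; $i -lt $Channels.Count; $i++) {
    $path = [System.Security.SecurityElement]::Escape($Channels[$i])
    "  <Query Id=`"$i`" Path=`"$path`">`n    <Select Path=`"$path`">*</Select>`n  </Query>"
}
$queryList = "<QueryList>`n$($queries -join "`n")`n</QueryList>"

# Keep a copy alongside any exported subscriptions (C:\Temp is a placeholder).
New-Item -ItemType Directory -Path 'C:\Temp' -Force | Out-Null
$queryList | Set-Content -Path 'C:\Temp\usm-querylist.xml' -Encoding UTF8
Write-Output $queryList

# Channels that are absent locally (for example Sysmon not installed) are not an
# error for the subscription, but knowing about them avoids chasing "missing" events.
foreach ($c in $Channels) {
    if (-not (Get-WinEvent -ListLog $c -ErrorAction SilentlyContinue)) {
        Write-Warning "Channel '$c' is not present on this computer."
    }
}

# Step 15 equivalent: runtime status of the subscription (name is a placeholder).
wecutil gr 'USM-Anywhere-Windows'

# Step 16 equivalent: after running eventcreate on SOURCE01, look for its event
# (Application log, Id 100) among the forwarded events on the collector.
Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; Id = 100 } -MaxEvents 10 |
    Where-Object { $_.MachineName -like 'SOURCE01*' } |
    Select-Object TimeCreated, MachineName, ProviderName, Id, Message
```

Using `*` as the `<Select>` expression collects every event from each channel; once the subscription is confirmed working, the same XML tab is where you would tighten individual `<Select>` elements or add `<Suppress>` elements for noisy event IDs.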

Export the Subscription Configurations

If you are replacing a collector in your network but want to run the old and new machines side by side for a while, you can export all Event Log Subscription settings and import them on the new computer instead of recreating each subscription manually.

To export subscription configurations

  1. From the command line, list the subscriptions.

    wecutil es

  2. Export the subscriptions.

    wecutil gs "<subscriptionname>" /f:xml > "C:\Temp\<subscriptionname>.xml"

  3. Import the subscription.

    wecutil cs "<subscriptionname>.xml"

    Note: Importing a subscription with a custom QueryList doesn't work.

  4. (Optional) To use a custom query list, create a subscription as previously described, or import a subscription that uses standard settings, and then replace its query.
  5. Open the subscription and click Select Events.
  6. Click the XML tab, select Edit query manually, and paste in your custom QueryList.
  7. Click OK, then OK again.

Troubleshooting Subscription Configuration Exports

For basic troubleshooting, see http://windowsitpro.com/security/q-what-are-some-simple-tips-testing-and-troubleshooting-windows-event-forwarding-and-collec.

For a more advanced configuration, see https://technet.microsoft.com/en-us/itpro/windows/keep-secure/use-windows-event-forwarding-to-assist-in-instrusion-detection#how-frequently-are-wef-events-delivered.